[ Posted to the full-disclosure mailing list ]
[PHC]
Your network will never be secure.
[paul]
This is a given.
-------------------------------------------------------------------------------
%Point 1% You agree this is a given.
-------------------------------------------------------------------------------
[PHC]
People seem to think Attack Windows -- a term coined by the same class
of people who brought you the Nop Sled (tm) -- exist between public
vulnerability disclosure and public patch release. This is untrue;
Attack Windows exist from public vulnerability disclosure right back
into the long forgotten past.
Example: if in 2010 a vulnerability is publicly disclosed in a widely
used program that has been used for 20 years, then every box on the
planet using that program has been at risk for 20 years, and not merely
the week or so between public announcement and public fix. In
retrospect, the security industry accomplished nothing in 20 years,
except stuffing their pockets with cash and generating a false sense of
security.
[paul]
Agreed, as to the first part, but your conclusion doesn't follow. They
may have accomplished nothing WRT that one weakness. That says nothing
about other weaknesses they may have exposed and which got fixed as a
result.
Do you *really* expect intelligent people to believe that the
"Trustworthy Computing" initiative that Microsoft has undertaken would
have *ever* happened without the steady stream of embarrassing
disclosures, culminating in the awful buffer overflow in UPnP, that led
up to that announcement? Frankly, that stretches credulity to the
breaking point!
--------------------------------------------------------------------------------
Granted, the security community may have increased vendor awareness, but
awareness alone does not lead to security. Even people who tug to security
24/7, like Theo de Raadt, have failed miserably.
It's wrong to expect Microsoft to develop perfectly secure software, just like
it's wrong to expect anyone else to be able to. Yet this doesn't stop the
security industry banging on about it, contradicting their "there is no such
thing as perfectly secure software."
I'm sure you realize the argument is not about "what brings security," as
absolutes are not possible, but "what brings a better level of security." Based
on the article mentioned in Sermon #3 and the articles of Marcus Ranum (both
written by prominent 'whitehats', hence no ulterior 'blackhat motives'),
non-disclosure leads to a better level of security in the short-term.
Therefore, it remains only to be contested whether full disclosure leads to
better security in the long-term. Since non-disclosure has a foundation in the
short-term as being a workable solution, whilst full disclosure in the
short-term is detrimental (a "necessary evil"), we feel that the burden of
proof is on the security industry to tell us why full disclosure in the
long-term will be any different to full disclosure in the short-term. We don't
believe it will be; we believe this "necessary evil" in the short-term will
only intensify as time goes by. We base this belief on the pattern that has
evolved over the last decade during the Reign of Full Disclosure. Logical
projection into the future tells us it will continue. We may be wrong, and we
invite correction.
--------------------------------------------------------------------------------
If the security industry wasn't constantly exposing Microsoft's warts,
there would be no "Trustworthy Computing" initiative, there would be no
security department at Microsoft, there would be no security bulletins,
there would be no "hotfixes".
You cannot honestly believe that, in the face of Microsoft's awful
security record, silence would be the correct behavior!
[PHC]
Insecurity will be perpetual. As democow said, blackhats will always be
able to compromise you. Scriptkids will not be able to compromise you if
you always manage to win the scriptkid-admin race that occurs when a new
bug is disclosed on a security mailing list. However, not all admins
will be so lucky. The security industry in this manner has increased not
only the number of attackers exponentially, but the threat to the
Internet at large. This is a cycle that can stop, but it won't happen
while the security industry can make money on it. They need figures and
statistics to market their flimsy products. They need visible threats to
justify their existence. They need widespread defacements and system
compromises.
[paul]
And the alternative is?
--------------------------------------------------------------------------------
NON-DISCLOSURE
==============

short-term
----------
attackers: blackhats/professionals

long-term
---------
attackers: blackhats/professionals

FULL DISCLOSURE
===============

short-term
----------
attackers: blackhats/professionals
attackers: inordinate number of scriptkids

long-term
---------
attackers: blackhats/professionals (based on %Point 1%)

*** Is this stage (full disclosure, long-term) even reached? And if so, what
*** did it achieve that non-disclosure didn't, other than injecting scriptkids
*** into the digital ecosystem, causing a greater number of admins headaches,
*** and allowing the security industry to stuff their pockets with cash?
--------------------------------------------------------------------------------
Assume for a moment that everything you've said so far is correct.
Assume further that there is no security industry to "blow the whistle".
Then this is the situation: all systems are insecure by default and will
always be insecure, and the holes are only known by a select few, the
so-called blackhats. What options do the network admins have then?
--------------------------------------------------------------------------------
Blackhats exist in both schemes. There's nothing we can do to stop them. It's
just a question of which scheme brings subsidiary pains-in-the-ass and which
doesn't.
--------------------------------------------------------------------------------
I submit they have none. Each time a system is compromised, the admin
then either has to learn enough programming to be able to *correctly*
understand the source of the problem (assuming he has access to the
source) *or* demand that the vendor fix the problem that allowed the
breakin. But the admin has no leverage with the vendor. He's already
paid for the software. He has no contract with the vendor to protect
him. Even if he can motivate the vendor to fix the problem, it's
probably going to be in a new release, not in the existing one (because
then the vendor would have to announce the problem to all his
customers.) Furthermore, that admin has an ethical obligation to let
other users know about the weakness. Otherwise he is culpable in their
future breakins.
[PHC]
In the SecurityFocus article, _Full disclosure is a necessary evil_,
Elias Levy agrees that full disclosure brings more short-term insecurity
than non-disclosure does. So it's not only the 'blackhats' who see this.
However, Levy qualifies this short-term insecurity as a "necessary evil"
to effect long-term security. Just HOW long-term is a matter of
conjecture, but based on the security industry's own tenet that "no
software, system, or network can be totally secure," we don't ever see
the final destination being reached by the security industry. Instead,
we see them as the purveyors of lies and broken promises who will never
be able to deliver what they're paid for. This holds true even for the
5% of 'programmer-phrack-magazine-esque' security professionals Who Have
A Clue. The crazy thing is that it's their inability to deliver the
goods that keeps them in business. While they rake in large amounts of
cash and fail miserably at their self-appointed task, their failures
succeed in convincing the gullible that they're still needed.
[paul]
You can't have your cake and eat it too. If, as you say, there will
never be anything like total security in software, then you can't also
accuse the security industry of having failed in their mission, simply
because the foregone conclusion has been reached. Under the conditions
which you describe, success can never be reached.
--------------------------------------------------------------------------------
Success can never be reached, hence the security industry is bound to be
unsuccessful in the long-term. Therefore, the other alternative may be more
palatable.
--------------------------------------------------------------------------------
However, if the security industry has helped close one single hole, then
they have succeeded more than if they had done nothing, which is what
you're advocating.
--------------------------------------------------------------------------------
They have closed one single hole, which did what? Publicly announced the hole
to the scriptkid population, allowing them to attack the greater majority of
admins who aren't as diligent as you are, all in the name of a future Utopia
that we have no reason to believe will even occur. Meanwhile, the blackhats
carry on unhindered, due to their alleged resourcefulness, creativity, and
persistence. So you've won the scriptkid-admin race yet again, but other admins
might not be so lucky -- the greater number of admins, in fact.
--------------------------------------------------------------------------------
Furthermore, you cannot accuse the security industry of failing because the
software vendors have failed to program securely. The security industry's job
is to reveal the problem and suggest solutions. They cannot force the vendors
to fix the problem.
[PHC]
There was a Vuln-Dev thread on Alan Turing's "Halting Problem" (we
remember this thread because it was probably the only educated thread
ever to appear on Vuln-Dev, not to mention a brilliant battle of wits
between Lcamtuf-the-Brain and Mixter-the-Fucking-Narc) that brought the
identification of security holes in software under the light of
elementary discrete mathematics. This added to the tenet mentioned
above. We mention this to reiterate what we said in Sermon #2 about all
disciplines of study being applicable in some way, however slight, to
the problem we seek to change. See, even a math nerd can help us.
[paul]
Try to understand the problem from the viewpoint of a network admin.
Most could care less about the philosophical debates that surround these
issues. Most don't want to learn to program, more than what is
necessary to automate routine tasks. They don't want to master multiple
disciplines *in addition to* their chosen profession, and they don't want
--------------------------------------------------------------------------------
We do understand the problem from the viewpoint of a network admin. A lot of us
are network admins ourselves. The point about using a multi-disciplinary
argument was so that everyone who cares to hear our views can hear them from
the discipline they're most accustomed to. Philosophers want philosophical
arguments, theologists want theological arguments, scientists want empirical
arguments, and so forth. We are lacking in many areas, which is why we invited
the submissions of more educated individuals in those areas.
--------------------------------------------------------------------------------
to have to deal with breakins on top of all the other problems that come
with trying to network heterogeneous systems and protocols so that users
can seamlessly access what they want and need to access. What you are
advocating is that they simply "deal with it", rather than offering any
solutions to the problem.
--------------------------------------------------------------------------------
We are advocating the removal of their need to deal with scriptkids. This
should be far less taxing on their time and energy.
--------------------------------------------------------------------------------
[PHC]
In summary, the security industry is reaping large sums of money for
doing absolutely nothing for Internet security.
[paul]
You can't make this leap of logic from the evidence that you've
presented. You claim that it's impossible to completely secure software
systems. Then you accuse the security industry of having failed because
they haven't completely secured those systems.
--------------------------------------------------------------------------------
We claim that it's impossible to completely secure software, by the admission
of security professionals themselves, THEREFORE we accuse them of being
money-mongering criminals (?) who know deep down that they're chasing the
wind, securing nothing other than their employment status.
--------------------------------------------------------------------------------
And if the security
industry has caused the "Trustworthy Computing" initiative to come to
pass, then you certainly can't accuse them of "doing absolutely
nothing".
[snipped the irrelevant political diatribe]
[PHC]
We can churn out sermon after sermon, but it will do little good if
nobody gives a damn. We're not fools to believe all this talk will do
anything great. If you see what we are fighting for, then PLEASE
contribute Stuff to the cause, where Stuff can be textfiles, graphics,
old AntiSec posts, ideas, constructive criticism, whatever.
[paul]
What I see you preaching for is for my network to remain vulnerable and
compromised forever. That's not a goal I would work for. So why should
I assist you in yours?
--------------------------------------------------------------------------------
No, you agree by %Point 1% that it will always be insecure. So why not cut down
on the number of people who can cause you grief? Full disclosure certainly
doesn't do it, not with its "necessary evil."
--------------------------------------------------------------------------------
[PHC]
And if you call anything that moves a "scriptkid" or a "lamer," for
fuck's sake, do not bother replying to this.
[paul]
No, I call people who break in to other people's computers jerks. I
really could care less what motivates them to do it.
--------------------------------------------------------------------------------
Paul, that comment was directed at other critics who don't even bother reading
what we write, like the individual who first replied to Sermon #2.
--------------------------------------------------------------------------------
Paul Schmehl (pauls@utdallas.edu)
TCS Department Coordinator
University of Texas at Dallas
http://www.utdallas.edu/~pauls/
PHC
Sermon #4
http://phrack.efnet.ru | http://phrack.ru
"Join us to teach and learn."